Proposed HIPAA changes establish standards that would be difficult for providers to meet and should be scaled back, according to comments filed by CHIME.
The organization said the rules rely too much on technical capabilities that are not widely available and fail to acknowledge the amount of human intervention that will be necessary to achieve compliance.
In particular, a provision of the 2002 HIPAA Privacy Rule says that covered entities are responsible for PHI contained within a designated record set (DRS), and the current proposed rule would extend that requirement to include a new right to a consolidated access report.
“CHIME believes the concept of DRSs remains too broadly defined and too variable in today’s health IT environment,” the comment letter noted. “Moreover, the ability to aggregate hundreds or even thousands of access events in any automated fashion is not realistic for most covered entities.”
For these and other reasons, CHIME is urging rule-makers not to include access report requirements in the final rule. If rule-makers include access reports in the new rules, CHIME believes that only data gathered through certified EHRs, not the full array of designated record sets, should be expected to populate such reports.
“CHIME is extremely concerned about the entire concept of access reports,” said Pam McNutt, SVP/CIO at Dallas-based Methodist Health System and chair of CHIME’s Policy Steering Committee. “We believe the access logs, report filters, and other technical specifications needed to generate an access report would be inconsistent or nonexistent across many clinical data sources that might be considered part of a DRS.”
The HHS’s OCR published the notice of proposed rulemaking (NPRM) for Accounting of Disclosures and Access Reports on May 31 and plans to publish the final rule later this year. For accounting of disclosures, the NPRM addressed a statutory requirement under the HITECH Act to extend requirements to EHRs.
CHIME supports a number of changes in the proposed accounting of disclosures rule, especially in areas where the rule clarifies and simplifies compliance requirements. For instance, the NPRM would limit the types of disclosures subject to the accounting requirement, rather than the current practice of listing exemptions to the requirement. But the organization states that rule-makers need to extend implementation and production timelines.
“Generating an accounting of disclosures is today largely a manual process for most covered entities, and we believe it will remain so for some time to come,” the comment letter notes. “Producing limited or customized reports of the kind described in this NPRM could be difficult and time-consuming.”
CHIME also suggests that the current 60-day timeline for responding to accounting of disclosure requests be retained, not shortened to 30 days as suggested by the proposed rule.
Access reports would detail who has accessed PHI so individuals can learn whether specific persons have accessed information from their records. Because these access reports would not differentiate between uses of that information for care delivery and disclosures of the information, many legitimate access events could occur across clinical systems that fall outside certified EHRs, complicating any requirement to deliver a consolidated report or to allow for customized views.
“The proposed rule seems to overestimate the technical capabilities currently available for producing a consolidated access report,” said George “Buddy” Hickman, FCHIME, EVP/CIO at Albany (N.Y.) Medical Center. “To aggregate information for an access report, both across the covered entity and incorporating information from business associates, would require the purchase of new and expensive software tools, additional data storage and multiple FTEs dedicated to pulling and consolidating logs from disparate systems.”
In addition to CHIME’s overall concerns with access reports, the letter also voiced concern about releasing the names of staff members who have accessed a patient’s information. “With access reports, disclosing every name has the potential to expose employees to unnecessary scrutiny or other negative consequences. This could be viewed as a violation of employee rights.”
As an alternative, CHIME recommends that patients seeking information about past access to their protected information provide a covered entity with specific names of those who may have inappropriately accessed their information.